[feature] Add Quark-Engine as an APK analyzer

[pulorsok]

Description

Quark-Engine is an APK malware analyzer which can tell what APK does. We believe that Quark as a static analyzer can cooperate very well with Jadx. The user first can take a quick look at the APK malware activities then trace down in source code using Jadx, I think that can greatly improve efficiency for malware analytics.

Here is the scenario :

1. User using Jadx to decompile APK
2. Quark analyze APK then present a potential malware activities report
3. User click on an activity that wants to trace
4. Search and highlight the corresponding smali or java source codes

So far, we have experience with two projects integration (APKLab, ghidraquark)

If you agree to this idea, I will start working on the integration and submit PR when finished.

Additional context

Below are features and reports released recently.

[jpstotz]

Of course for some people that may be of interest. However I fear that for the common Jadx user there is one main problem: the quark-engine bases on Python and Jadx is a pure Java based solution. Therefore I would assume that a large number of Jadx users don't even have Python installed. This applies I would assume for at least 90% of all Windows users. @skylot Does GitHub provide information about the platforms of the users downloading Jadx or is there a different way to determine how the OS distribution is among the Jadx users?

A second problem I see is that Jadx does not yet have some sort of plugin concept. Therefore an integration like ghidraquark which integrates Quark-Engine into Ghidra (which is also Java based like Jadx) is not that easy. Therefore all changes would have to be integrated into Jadx itself. I don't have any experience with Java-to-Python interfaces but from my perspective it would be recommendable that such changes would consist of pure Java code, so that building Jadx will stay as simple as it is at the moment. Do you think this is feasible?

[skylot]

@jpstotz

Does GitHub provide information about the platforms of the users downloading Jadx

No, I don't have such statistics, but I think you are right and most users are on Windows.

For integration, we can just use command line interface and assume that Quark already installed on user machine. So we just run shell command and parse output (Quark can output report in json format), next format report in nice page similar to current APKSignature node. Such integration is quite feasible.

@pulorsok as @jpstotz said right now jadx-gui don't have any plugin concept, so you can implement just a quick proof of concept integration: executing Quark and format report. Features like clicking and navigation can be a little tricky, so I will add them myself.

[piratesephiroth]

Therefore I would assume that a large number of Jadx users don't even have Python installed. This applies I would assume for at least 90% of all Windows users.

Python is mostly used by developers and hobbyists, which I suppose is the same kind of people that uses jadx. So I'd assume that most jadx users also have Python installed on their systems.

[pulorsok]

For integration, we can just use command line interface and assume that Quark already installed on user machine. So we just run shell command and parse output (Quark can output report in json format), next format report in nice page similar to current APKSignature node. Such integration is quite feasible.

The scenario quite as I thought. I will figure out a way to implement that and start working on the POC.

[jpstotz]

@pulorsok The current Quark integration has one main problem at the moment: In case Quark is not installed or can not be found it only logs an error, but shows nothing to the user. I am getting the following two errors on Windows:

ERROR - Quark failed: 
java.io.IOException: Cannot run program "quark": CreateProcess error=2, Das System kann die angegebene Datei nicht finden
    at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1128)
    at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1071)
    at java.base/java.lang.Runtime.exec(Runtime.java:592)
    at java.base/java.lang.Runtime.exec(Runtime.java:451)
    at jadx.gui.ui.QuarkDialog$LoadTask.doInBackground(QuarkDialog.java:211)
    at jadx.gui.ui.QuarkDialog$LoadTask.doInBackground(QuarkDialog.java:186)
    at java.desktop/javax.swing.SwingWorker$1.call(SwingWorker.java:304)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.desktop/javax.swing.SwingWorker.run(SwingWorker.java:343)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.io.IOException: CreateProcess error=2, Das System kann die angegebene Datei nicht finden
    at java.base/java.lang.ProcessImpl.create(Native Method)
    at java.base/java.lang.ProcessImpl.<init>(ProcessImpl.java:478)
    at java.base/java.lang.ProcessImpl.start(ProcessImpl.java:154)
    at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1107)
    ... 11 common frames omitted
ERROR - Quark: Load report failed: 
java.lang.ClassCastException: class com.google.gson.JsonNull cannot be cast to class com.google.gson.JsonObject (com.google.gson.JsonNull and com.google.gson.JsonObject are in unnamed module of loader 'app')
    at jadx.gui.ui.QuarkDialog.loadReportFile(QuarkDialog.java:164)
    at jadx.gui.ui.QuarkDialog.access$500(QuarkDialog.java:35)
    at jadx.gui.ui.QuarkDialog$LoadTask.done(QuarkDialog.java:230)
    at java.desktop/javax.swing.SwingWorker$5.run(SwingWorker.java:750)
    at java.desktop/javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:847)
    at java.desktop/sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
    at java.desktop/javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:857)
    at java.desktop/javax.swing.Timer.fireActionPerformed(Timer.java:317)
    at java.desktop/javax.swing.Timer$DoPostEvent.run(Timer.java:249)
    at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:313)
    at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
    at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
    at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
    at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
    at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
    at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

Therefore I strongly recommend to add some error dialog, as a button that just does nothing (except of failing silently) is bad user experience.

I also tried to install quark in my Python3.8 environment, however the installation ended up in a total failure because of some conflicting dependencies. Not sure if this is a general quark problem or depends on my Python environment.

A second problem may arise especially on Windows as the Quark integration on Windows expects quark.exe to be present on the PATH. As my attempts to install quark failed I wasn't able to check if Quark provides an EXE file at all to start it, but in general the same way to start a Python script is to my knowledge python3 -m quark and of course it would be best if there would be a way to specify the path to the Python interpreter to use respective the Python virtual environment to be used.

[pulorsok]

Hi @jpstotz thank you for the feedback. I will work on the feature for error message dialogue, and also improve the user experience for quark functionalities (e.g. command option in quark dialogue, more detail for summary report).

Currently, quark has not provided an executable release, and it seems to have some problem when installing quark on Windows, but we are working on that.

[skylot]

TODO list for current implementation:

• [x] Fix usage of jobs in background task
• [x] Don't require pip if Quark already installed
• [x] Auto open Quark report tab on analysis finish
• [x] Add class references to the quark report and sort by confidence
• [x] Move all quark classes to separate package (jadx.gui.plugins.quark)
• [ ] Check commands availability without errors in log
• [ ] Highlight API usage in resolved methods (whole line) and jump directly to these lines
• [ ] Allow searching not resolved methods (open text search)
• [ ] Allow copy method references
• [ ] Don't remove report node on deobfuscation switch and other settings changes